The example in the Best Practices document is purely notional since it does not have a server side component. The concept with the authToken is that when you make the call to your login service, it would create a unique token to be used in subsequent requests (like a session id). That would be added to the LoginVO returned by the service, and stored by the LoginProxy on the client so that subsequent calls to the server could use that token. Other actors that retrieve the login proxy could tell if you are logged in or not by checking the loggedIn getter on the LoginProxy, which in turn checks to see that an authToken is present. That token can be retrieved directly from the proxy's authToken getter, so other actors don't need to know to get the loginVO and pluck the authToken from it. Once logged in, your other service calls would just need to include that token instead of full credentials.